Tag: Fred Trotter

Taking on Facebook for Health Data Privacy: Fred Trotter, CareSet Systems

By JESSICA DaMASSA, WTF HEALTH

While patients can often find comfort, compassion, and support in Facebook Groups dedicated to their health conditions, they don’t realize that their identity, location, and email addresses can be found quite easily by other members of their closed group — some of whom may not have well-meaning purposes for that information. Called a Strict Inclusion Closed Group Reverse Lookup (SICGRL) attack, this is a privacy violation of unprecedented magnitude. 

Fred Trotter is one of the leaders of a group of activists co-led by Andrea Downing and David Harlow that is taking on Facebook to correct this health data privacy violation. 

While this interview was filmed at Health Datapalooza in the Spring of this year, Fred has just published an update that details how Facebook continues to ignore the issue and remains unwilling to collaborate on a solution. 

Catch up on the background behind this data privacy issue — currently, one of the most important opportunities we as healthcare innovators have to learn about what NOT to do when it comes to user privacy and sensitive data. 

Health in 2 Point 00, Episode 75 | Rounds & IPOs, Health Datapalooza, & the Facebook Controversy

Today on Health in 2 Point 00, Jess and I are at the 10th annual Health Datapalooza in Washington D.C.! Jess talks to me about Xealth’s $11 million round to develop out its company, and Change Healthcare is applying for a $100 million IPO. The big takeaways from Health Datapalooza are that many people and companies have integrated data into their systems, but they haven’t been able to gain many actionable insights from it. Also, if you haven’t heard of the complaint Andrea Downing, Fred Trotter, and David Harlow wrote to the FTC concerning the privacy and data that can be downloaded from Facebook’s groups, you better check it out. It details out the concern that Facebook is not protecting the data of patients as anyone can download sensitive data from the groups and use it — Matthew Holt

Health in 2 Point 00, Episode 61

On Episode 61 of Health in 2 Point 00, Jess and I are still in Tokyo—but this time we’re reporting from a famous whiskey bar. In this episode, Jess asks me about the most important takeaways from Health 2.0 Asia-Japan and the growing health tech market there. We also have two special guest stars today: Yuuri Ueda, the director of Health 2.0 Asia-Japan, tells us how loosening government regulations are opening up opportunities for more and more startups to break into telemedicine, and Fred Trotter explains how Japanese startups can learn from the U.S. in terms of data security and privacy. All this in (exactly) two minutes.

There’s so much more from Health 2.0 Asia-Japan that you all need to see, so keep an eye out on THCB for my three-point takeaway from the conference and be sure to watch Jess’s WTF Health interviews to hear from amazing people in the Asian health tech community —Matthew Holt. 

Practical Collaborative Document Writing for Patient Communities

I have a lot of experience with collaborative document writing, and now, in my role with Cautious Patient Foundation, I have been providing technical help to several patient communities. I helped write the security standards for the NWHIN Direct project and I am currently working with the e-patient/QS community to create a document detailing Doctor friendly Quants and Quant friendly Doctors.

My advice is pretty simple:

  • Use a forum, either a Facebook thread or a mailing list, to determine who the primary authors should be, and what the general content of the document should be.

Continue reading…

Who Owns Patient Data?

Who owns a patient’s health information?

  • The patient to whom it refers?
  • The health provider that created it?
  • The IT specialist who has the greatest control over it?

The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.

All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:

“Come to think of it, there’s a certain class of rhetoric I’m going to call the ‘one-way hash‘ argument. Most modern cryptographic systems in wide use are based on a certain mathematical asymmetry: You can multiply a couple of large prime numbers much (much, much, much, much) more quickly than you can factor the product back into primes. A one-way hash is a kind of ‘fingerprint’ for messages based on the same mathematical idea: It’s really easy to run the algorithm in one direction, but much harder and more time consuming to undo. Certain bad arguments work the same way — skim online debates between biologists and earnest ID (Intelligent Design) aficionados armed with talking points if you want a few examples: The talking point on one side is just complex enough that it’s both intelligible — even somewhat intuitive — to the layman and sounds as though it might qualify as some kind of insight … The rebuttal, by contrast, may require explaining a whole series of preliminary concepts before it’s really possible to explain why the talking point is wrong.”

Continue reading…

Is Obamacare Working? Show us the Data

As President Obama’s healthcare reform unfolds in the last years of his administration, critics and supporters alike are looking for objective data. Meaningful Use is a funding program designed to create health IT systems that, when used in combination, are capable of reporting objective data about the healthcare system as a whole. But the program is floundering. The digital systems created by Meaningful Use are mostly incompatible, and it is unclear whether they will be able to provide the needed insights to evaluate Obamacare.

Recent data releases from HHS, however, have made it possible to objectively evaluate the overall performance of Meaningful Use itself. In turn we can better evaluate whether the Meaningful Use program is providing the needed structure to Obamacare. This article seeks to make the current state of the Meaningful Use program clear. Subsequent articles will consider what the newly released data implies about Meaningful Use specifically, and about Obamacare generally.

Continue reading…

Is Obamacare working? Where’s the data?

As President Obama’s healthcare reform unfolds in the last years of his administration, critics and supporters alike are looking for objective data. Meaningful Use is a funding program designed to create health IT systems that, when used in combination, are capable of reporting objective data about the healthcare system as a whole. But the program is floundering. The digital systems created by Meaningful Use are mostly incompatible, and it is unclear whether they will be able to provide the needed insights to evaluate Obamacare.

Recent data releases from HHS, however, have made it possible to objectively evaluate the overall performance of Meaningful Use itself. In turn we can better evaluate whether the Meaningful Use program is providing the needed structure to Obamacare. This article seeks to make the current state of the Meaningful Use program clear. Subsequent articles will consider what the newly released data implies about Meaningful Use specifically, and about Obamacare generally.

Continue reading…

Anthem Arrogantly Refuses Audit Processes. Twice.

Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.

A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.

Well, we have more evidence now, and it’s not looking good for Anthem.

Continue reading…

Why Anthem Was Wrong Not to Encrypt

Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a Chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler‒alert, the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that technically ‒ data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when the accessibility of patient records is urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the headline itself is misleading ‒ at best.

Continue reading…

Anthem Was Right Not to Encrypt

The Internet is abuzz criticizing Anthem for not encrypting its patient records. Anthem has been hacked, for those not paying attention.

Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.

Most lay people, clinicians and apparently, reporters, simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.

Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.

When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that car useless, no one says “well that car manufacturer needs to invest in more secure keys”.

In general, systems that rely on keys to protect assets are useless once the bad guy gets ahold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a given system implementing “encryption-at-rest”, the programmers have the keys. Typically it is the programmer that hands out the keys.

Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption or suggesting that we should use it differently is only useful when “going around it” is not simple. In this case, that is what happened.

Continue reading…